Prakash Galande
DDoS attacks spreading through ‘GodMode’ exploit – CVE-2014-6332
January 19, 2017

We have recently observed an increase in exploitation of the well-known ‘GodMode’ exploit for the vulnerability CVE-2014-6332. A reliable proof of concept (PoC) for CVE-2014-6332 is readily available on the Internet, which makes it easy for attackers to integrate the exploit into their campaigns: they only have to swap in a new malware payload to start a new one. Most of the active Exploit Kits (EKs), such as ‘RIG’ and ‘Sundown’, have integrated exploits for CVE-2014-6332. Apart from EKs, the exploit is also being served from various compromised and malicious websites.

In this blog post, we will look at one such attack in which exploitation of the ‘GodMode’ vulnerability CVE-2014-6332 dropped a DDoS malware payload known as Nitol.

Exploitation Cycle

The exploit was being served from the domain ‘1128[.]me’, which resolved to the IP 43.249.8[.]78. According to a whois lookup the domain is registered in Panama, while the IP geolocates to China. The domain names observed in these DDoS campaigns were short and contained numerical values.

Fig 1. Exploitation Cycle

Exploit Analysis

The exploit first checks the versions of the Windows OS and Internet Explorer for compatibility. The exploit code is only loaded on 32-bit Windows running Internet Explorer.

Fig 2. Version Checking of Windows OS and Internet Explorer

After the version check, the exploit calls the function ‘Over’. The vulnerability is triggered when the array ‘aa’ is resized with ‘Redim Preserve’ to an out-of-range size: the resize fails, but the array bounds in its SafeArray descriptor have already been updated and are not rolled back, so ‘aa’ is left claiming far more elements than were actually allocated. Writing through the oversized ‘aa’ lets the exploit overwrite the variant type field of elements in a neighbouring array, which is the type confusion that the rest of the exploit builds on. The detailed analysis of the vulnerability can be found here.

Fig 3. Vulnerability (CVE-2014-6332) trigger code

Disabling ‘safemode’ Flag

By default, VBScript running in the browser operates in a restricted ‘safe mode’ in which it cannot, for example, create arbitrary COM objects. This restriction is controlled by the script engine’s ‘safemode’ flag, whose default value is 0xE. If that value is changed, VBScript in the page can perform actions that are normally reserved for scripts run from the Windows Script Host, such as launching programs. Controlling the ‘safemode’ flag from VBScript in the browser has been called ‘GodMode’, which is why this exploit is famously known as the ‘GodMode’ exploit.

Fig 4. ‘setnotsafemode’ function

The exploit code shown in Fig 4 uses the ‘setnotsafemode’ function to change the ‘safemode’ flag value to 0.

Fig 5. ‘safemode’ flag value changed

After the ‘safemode’ flag is disabled, the ‘runmumaa’ function is called. It downloads the malware from the URL ‘hxxp://98.126.14[.]54/api/ax.exe’ and executes it using ‘wscript’.

Fig 6. Payload and execution
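The function and variable names called out in the analysis above (‘Over’, the ‘aa’ array resize, ‘setnotsafemode’, ‘runmumaa’, ‘wscript’) are reused unchanged by most copies of the public PoC, so they make a cheap first-pass indicator for landing pages. The Python scanner below is an added example, not code from the original post or from the exploit; the indicator weights, the alert threshold and the two sample pages are assumptions made for the illustration, and the “exploit” sample only reuses the names (it contains no exploit logic).

```python
import re

# Heuristic markers of the 'GodMode' landing page described above. The
# identifiers are the ones named in the analysis; 'Redim Preserve' is the
# VBScript statement that performs the array resize. Weights are assumed.
INDICATORS = [
    ("vbscript_block",  1, re.compile(r"<script[^>]*vbscript", re.I)),
    ("redim_preserve",  1, re.compile(r"\bredim\s+preserve\b", re.I)),
    ("array_aa_resize", 3, re.compile(r"\bredim\s+preserve\s+aa\s*\(", re.I)),
    ("over_function",   2, re.compile(r"\b(?:function|sub)\s+over\b", re.I)),
    ("setnotsafemode",  4, re.compile(r"\bsetnotsafemode\b", re.I)),
    ("runmumaa",        4, re.compile(r"\brunmumaa\b", re.I)),
    ("wscript_shell",   2, re.compile(r"wscript\.shell", re.I)),
]
ALERT_SCORE = 6   # assumed threshold: one exploit-specific name plus context


def scan_page(html: str) -> dict:
    """Score an HTML document against the indicators above.

    A VBScript block and 'Redim Preserve' alone are legitimate (score 2);
    the exploit-specific function names push the score over ALERT_SCORE.
    """
    hits = [name for name, _, rx in INDICATORS if rx.search(html)]
    score = sum(weight for name, weight, _ in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= ALERT_SCORE}


# Constructed sample: a skeleton that only reuses the function and variable
# names from the analysis (no exploit logic), and a benign VBScript page.
CONSTRUCTED_EXPLOIT_PAGE = """<html><body>
<script language="VBScript">
dim aa(), a2
function Over()
  redim Preserve aa(a2)
end function
sub setnotsafemode()
end sub
sub runmumaa()
  Set sh = CreateObject("Wscript.Shell")
end sub
</script></body></html>"""

BENIGN_PAGE = """<html><body>
<script language="VBScript">
dim items()
redim Preserve items(10)
</script></body></html>"""


if __name__ == "__main__":
    for label, page in (("exploit", CONSTRUCTED_EXPLOIT_PAGE), ("benign", BENIGN_PAGE)):
        print(label, scan_page(page))
```

Name-based matching is trivially evaded by renaming, so treat a hit as a triage signal rather than a verdict; the resize of a dynamic array followed by writes to another array’s elements is the behaviour worth keying on in a proper emulator.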

Payload Analysis

The payload ‘ax.exe’ executed by the exploit code performs the following activities:

  • Connects to a remote Command and Control (CnC) server and reports its installation together with the infected system’s OS version, computer name, etc.
  • Receives commands from the CnC server and executes them.
  • Downloads and executes arbitrary files from the CnC server.
  • Copies itself to ‘C:\WINDOWS\’ and registers an autorun entry with a random service name so that it runs again after a restart.
    • Dropped file name: ‘C:\WINDOWS\jaxdaw.exe’
    • Service created with a random name such as ‘Jklmno Qrstuvwx Abc’
  • Once the autorun entry is in place, the malware deletes its original file by calling ‘ShellExecuteExA’ with the arguments ‘/c del <sample_dir>\ax.exe > nul’.

Important activities observed:

  • The malware spreads on the network.
  • The malware launches DDoS attacks on websites specified by the CnC server.

Network Spreading Activity

To spread to shared drives on the network, it performs a quick dictionary attack that tries every combination of the usernames and passwords listed below.

Fig 7. Dictionary of usernames and passwords

The malware tries to connect to each shared drive using API ‘WNetAddConnection2A’.

Fig 8. Connection to shared drives

Once access to any shared drive is gained using the dictionary attack, the malware copies itself to that shared drive using API ‘CopyFileA’.

Fig 9. Copying to shared drives

Once copied, it launches the copy on the remote host with the ‘at’ command, scheduling it for a specific time such as ‘13:11’, as shown in Fig 10.

Fig 10. Execution on shared drives
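The spreading routine described above leaves a recognisable trail on the hosts it targets: a burst of failed network logons (Security event 4625, logon type 3) with rotating usernames from one source address, then a successful network logon (4624, type 3) from the same source, then a scheduled task created under that account (4698; jobs created by ‘at’ are typically named ‘At1’, ‘At2’, …). The Python detector below, added here as an example and not part of the original analysis, correlates those three steps over constructed sample events. The thresholds, the time window, the field names and the event values are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumed: failed network logons from one source...
WINDOW = timedelta(minutes=2)   # ...inside this window...
MIN_DISTINCT_USERS = 3          # ...against at least this many accounts


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_spreading(events: list) -> list:
    """Correlate share brute-force -> successful logon -> scheduled task.

    Each event is a dict with 'time', 'id' (Windows Security event ID),
    'user' and, for logon events, 'logon_type' and 'src' (source address).
    Returns the alerts in the order they were raised.
    """
    alerts = []
    failures = defaultdict(list)   # src -> [(time, user)] of recent 4625/type-3 events
    flagged_sources = set()        # sources that crossed the brute-force bar
    compromised_users = set()      # accounts that then logged on from a flagged source

    for e in sorted(events, key=lambda e: _t(e["time"])):
        now, eid = _t(e["time"]), e["id"]
        if eid == 4625 and e.get("logon_type") == 3:
            src = e["src"]
            recent = [(t, u) for t, u in failures[src] if now - t <= WINDOW]
            recent.append((now, e["user"]))
            failures[src] = recent
            users = {u for _, u in recent}
            if (len(recent) >= FAIL_THRESHOLD and len(users) >= MIN_DISTINCT_USERS
                    and src not in flagged_sources):
                flagged_sources.add(src)
                alerts.append({"type": "share_bruteforce", "src": src,
                               "attempts": len(recent), "users": sorted(users)})
        elif eid == 4624 and e.get("logon_type") == 3 and e["src"] in flagged_sources:
            compromised_users.add(e["user"])
            alerts.append({"type": "bruteforce_success", "src": e["src"], "user": e["user"]})
        elif eid == 4698 and e["user"] in compromised_users:
            alerts.append({"type": "task_after_bruteforce", "user": e["user"],
                           "task": e.get("task")})
    return alerts


# Constructed sample events (all values made up for this example).
SAMPLE_EVENTS = [
    {"time": "2017-01-10 13:05:01", "id": 4625, "user": "administrator", "logon_type": 3, "src": "10.0.0.23"},
    {"time": "2017-01-10 13:05:02", "id": 4625, "user": "admin",         "logon_type": 3, "src": "10.0.0.23"},
    {"time": "2017-01-10 13:05:02", "id": 4625, "user": "root",          "logon_type": 3, "src": "10.0.0.23"},
    {"time": "2017-01-10 13:05:03", "id": 4625, "user": "guest",         "logon_type": 3, "src": "10.0.0.23"},
    {"time": "2017-01-10 13:05:04", "id": 4625, "user": "administrator", "logon_type": 3, "src": "10.0.0.23"},
    {"time": "2017-01-10 13:05:05", "id": 4625, "user": "admin",         "logon_type": 3, "src": "10.0.0.23"},
    {"time": "2017-01-10 13:05:06", "id": 4624, "user": "admin",         "logon_type": 3, "src": "10.0.0.23"},
    {"time": "2017-01-10 13:05:20", "id": 4698, "user": "admin", "task": "At1"},
    # Unrelated noise: one typo from a workstation and a normal interactive logon.
    {"time": "2017-01-10 13:05:07", "id": 4625, "user": "jsmith", "logon_type": 3, "src": "10.0.0.40"},
    {"time": "2017-01-10 13:05:08", "id": 4624, "user": "jsmith", "logon_type": 2, "src": "-"},
]

if __name__ == "__main__":
    for alert in detect_spreading(SAMPLE_EVENTS):
        print(alert)
```

The event IDs above are the Vista-and-later ones; on the XP-era 32-bit hosts this exploit targets, the equivalent records are 529 (logon failure), 540 (successful network logon) and 602 (scheduled task created), so a production rule should map both sets. The third stage is the one that separates lateral movement from a noisy password-reset script: a brute-forced account that immediately creates a scheduled task is rarely benign.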

DDoS Activity

The malware receives commands from the CnC server to initiate DDoS attacks. The server builds its commands from various combinations of the parameters listed below.

DDoS command parameters:
Command code, target website, port number, IE version, NT version, User-Agent, Referer, etc.

At the time of analysis the CnC server was inactive, so we did not receive actual commands from it. Parameters that the server supplies at run time appear in the command templates below as ‘%s’ or ‘%d’ format placeholders. The malware supports 22 commands, each selecting a type of DDoS attack to be carried out against the target website. The commands request various resource types (text, images, etc.) from the target and use different User-Agent strings, such as ‘Baiduspider’. Some of the DDoS commands are shown below.

Fig 11. DDoS commands

The following figure shows the DDoS attack loop, which delivers the requests through the ‘send’ socket API.

Fig 12. DDoS Attack Loop

Many branches converge on the same code at the top of Fig 12: the commands differ, but most of them use the same ‘send’ call to deliver the attack traffic.

The CnC server address is stored in the malware payload in an obfuscated form built from two layers: Base64 and a custom ADD + XOR cipher, as shown in Fig 13. Base64 is only an encoding, so the ADD + XOR step is the one whose constants must be recovered from the binary to decode the address.

Fig 13. CnC URL encryption/decryption
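To show how an analyst reproduces such a scheme in a standalone decoder, the Python script below (an added example, not code from the original post or from the malware) implements a two-layer Base64 + single-byte ADD/XOR encoding and, for the stage where the constants have not yet been read out of the binary, recovers them by brute force against a host:port plausibility check. The key bytes 0x2B and 0x5A, the operation order (add, then XOR, then Base64) and the sample string are assumptions; the real constants and order must be taken from the routine in Fig 13.

```python
import base64
import re

# Assumed constants and order for this illustration only.
ADD_KEY = 0x2B
XOR_KEY = 0x5A


def add_xor_encrypt(data: bytes, add_key: int, xor_key: int) -> bytes:
    """Inner layer: each byte is (b + add_key) mod 256, then XORed with xor_key."""
    return bytes(((b + add_key) & 0xFF) ^ xor_key for b in data)


def add_xor_decrypt(data: bytes, add_key: int, xor_key: int) -> bytes:
    """Reverse of add_xor_encrypt: XOR first, then subtract mod 256."""
    return bytes(((b ^ xor_key) - add_key) & 0xFF for b in data)


def encrypt_cnc(text: str, add_key: int = ADD_KEY, xor_key: int = XOR_KEY) -> str:
    """Outer layer: Base64 over the ADD/XOR output (what would sit in the binary)."""
    return base64.b64encode(add_xor_encrypt(text.encode("latin-1"), add_key, xor_key)).decode("ascii")


def decrypt_cnc(blob: str, add_key: int = ADD_KEY, xor_key: int = XOR_KEY) -> str:
    """Base64-decode, then undo the ADD/XOR layer."""
    return add_xor_decrypt(base64.b64decode(blob), add_key, xor_key).decode("latin-1")


# What a CnC address looks like once decoded: host (defanged forms allowed) and port.
HOST_PORT = re.compile(r"^[A-Za-z0-9.\[\]-]+:\d{1,5}$")


def recover_keys(blob: str) -> list:
    """Brute-force both single-byte constants when they are unknown.

    Only 65536 (add, xor) pairs exist, so every candidate plaintext is tried
    and kept if it parses as host:port. Returns (add, xor, plaintext) tuples.
    """
    raw = base64.b64decode(blob)
    hits = []
    for add in range(256):
        for xor in range(256):
            cand = add_xor_decrypt(raw, add, xor)
            if cand.isascii() and HOST_PORT.match(cand.decode("ascii")):
                hits.append((add, xor, cand.decode("ascii")))
    return hits


# Constructed sample: the CnC address from the IoC list, encoded with the
# assumed constants. A real sample's string would be carved from the binary.
CONSTRUCTED_BLOB = encrypt_cnc("hack.1128[.]me:520")

if __name__ == "__main__":
    print("stored:   ", CONSTRUCTED_BLOB)
    print("decoded:  ", decrypt_cnc(CONSTRUCTED_BLOB))
    print("recovered:", recover_keys(CONSTRUCTED_BLOB))
```

For short strings the brute force can return more than one plausible key pair, so confirm a candidate against a second encoded string from the same binary, or against the constants visible in the decryption routine, before using it to decode every string in the sample.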

DDoS.Nitol Hits Trend

The trend of DDoS Nitol detections observed in Quick Heal Labs over the last month is shown below.

Fig 14. DDoS Nitol hits trend

Indicators of Compromise

Exploit server IP: 43.249.8[.]78
Exploit domain: 1128[.]me
Payload download URL: hxxp://98.126.14[.]54/api/ax.exe
Payload filename: ax.exe
Payload MD5: 0B15E700EE99383BAD9915F0FB939D3D
Dropped copy: C:\WINDOWS\jaxdaw.exe
Payload CnC servers: hack.1128[.]me:520, ip.yototoo[.]com

Conclusion

With reliable exploit code for CVE-2014-6332 available on the Internet, it is becoming easier for attackers to launch mass infection campaigns of various kinds. As we have seen in this case, a DDoS attack can be launched by dropping the DDoS malware Nitol. With its network spreading functionality, Nitol makes for a more dangerous attack, as it can compromise many machines on the same network. We strongly recommend that users keep their Windows operating systems updated (this vulnerability was fixed in Microsoft bulletin MS14-064) and use multilayered security software such as Quick Heal.

ACKNOWLEDGMENT

Subject Matter Experts

  • Pallavi Pangavhane
  • Prakash Galande
  • Pradeep Kulkarni
    – Threat Research and Response Team
